You don’t need an Internet-connected smartphone to send out a tweet. In fact, very few people know that tweets can be sent out through a text message. However, users who do tweet from their cellphones via SMS could have their accounts easily hacked. An exploit detailed by researcher Jonathan Rudenberg reveals “Twitter users with SMS enabled are vulnerable to an attack that allows anyone to post to their account” by spoofing the phone number associated with the account. Rudenberg reports that users are vulnerable unless a PIN (not available in the U.S.) is set up to authorize tweets. Although the exploit was reported to Twitter’s security team in August, Rudenberg says the social network still hasn’t closed the hole, despite asking him to refrain from publishing his finding. Rudenberg also said in his blog post that he found similar SMS-related exploits with Facebook (FB) and Venmo that have since been patched.
Ars Technica reached out to Twitter, but didn’t receive any response on Rudenberg’s exploit discovery. Rudenberg recommends that users disable SMS tweeting and turn on PIN authorization if it’s available in their regions.
While most people send tweets via the Web or Twitter’s apps, an increasing number of users in developing nations still rely heavily on SMS to get their tweets out. In recent years, tweeting through SMS has been especially important in aiding protesters and rebels in events such as last year’s Egyptian Revolution.
UPDATE: Twitter posted on its Engineering Blog that Twitter accounts using SMS to tweet aren’t vulnerable to hijacking because in the U.S. tweets are routed over the shortcode 40404, “which eliminates the possibility of an SMS spoofing attack to those numbers.”